You are on page 1of 4

INTERNATIONAL GRADUATE SEMINAR ON INFORMATION TECHNOLOGY: SMART HOMES

1

Security in Wireless Systems
Tobias Knaup, Technische Universit¨ t M¨ nchen a u
series of bits. In contrast, block ciphers expect the input data to be presented in chunks of fixed length. Another challenge of cryptography is to verify the integrity of messages received from an untrusted source or over an insecure channel. Hash functions are commonly used for this purpose. They take a data stream of any length as input and produce a fixed length output. The mathematical laws that hash functions are based on leave only a negligible statistical possibility to find a message that has a certain hash value. This is especially due to the fact that the value is completely different if only one bit of the input data is changed. Yet another type of algorithms, called Cyclic Redundany Check (CRC)1 is used to calculate a checksum of a given chunk of data. They are based on polynomial division and are thus a linear function of their input. This is appropriate for detecting random errors, e.g. caused by bad quality of the transmission channel, but miserably fails if ”errors” are being caused by intention. It is generally very simple to adjust the CRC value to comply with modifications without full knowledge of the data it is supposed to protect. In this document, the symmetric stream cipher RC4 and the symmetric block cipher AES (also known as Rijndael) will be referred to. Furthermore the discussed protocols apply a keyed hash function called ”Michael” and a 32-bit CRC. III. R EQUIREMENTS OF W IRELESS S ECURITY To address the security requirements of wireless networks, the 802.11 standard is intended to enforce three main security goals as follows [1]: • Confidentiality: Unlike in wired connections, the transmission medium is not physically bounded in wireless systems. Moreover, in most installations unidirectional propagation takes place. It is thus inevitable that the signal reaches unauthorized mobile stations in the range of a base station. To protect the transmitted frames from eavesdropping, the data has to be encrypted. • Access control: In most cases, access to a wireless network has to be limited to a certain user group. To achieve this, the 802.11 standard describes an optional feature to verify that the user has knowledge of the network’s current secret key which is also used for encryption. • Data integrity: Unfortunately, air does not constitute a perfect medium for data transmission. Depending on the enviromental conditions, physical phenomena like scattering or fading might spoil the data during propagation. To verify that a received message has not been altered during transmission, a checksum field is appended to each message.
1 By definition, a CRC is not a cryptographic function, since it does not aim at hiding information. I just list it here for simplicity.

Abstract— The IEEE 802.11 standard for wireless local area networks introduced a protocol called Wired Equivalent Privacy (WEP) intended to provide link-layer security. Unfortunately, some grave security holes have been discovered in WEP which invalidate all of its protective features. For that reason, new protocols aiming at the elimination of these issues have been developed. In this paper, I will introduce WEP and point out its most severe architectural flaws as well as the practical attacks that result from them. I conclude that WEP totally fails in achieving its main security goals and present its improved successors. Because some vulnerabilities have been discovered in those protocols too, I will briefly depict them in the end.

I. I NTRODUCTION

W

IRELESS networks are commonly used in today’s homes and offices. The widely deployed products that comply to the 802.11 standard all incorporate the WEP protocol to secure the wireless transmission against eavesdropping and modification. WEP utilizes well-known cryptographic algorithms to achieve this task. I will start with an overview of cryptograhic basics in section II. Then I will point out the requirements of wireless security in section III as they have been defined in 802.11. Section IV describes the mechanisms that have been implemented to meet these requirements. But as we will see in section V, some fundamental errors have been made during the design process. Unfortunately these errors lead to security holes big enough to be easily exploited by virtually anyone owning a computer with a wireless LAN adapter. I will briefly describe some of the possible attacks in section VI. The availability of these simple attacks clearly is a major threat to the numerous wireless networks that have already been installed. A solution had to be found quickly, and it had to be of such nature that it could be deployed as an upgrade to the hardware components already in use. In section VII, I will present the immediate upgrade that has been developed, as well as the long-term solution that has been described in a new standard. The flaws that have been discovered in these new protocols will also be covered in this section. II. C RYPTOGRAHICAL BASICS Cryptographic functions used for concealing information can be divided into symmetric and asymmetric algorithms. The former simply uses the same series of bits (the key) to encrypt and decrpyt the data whereas the latter needs two different ones denoted as the secret and the public key. Regarding the shape of data that can be encrypted, a subdivision into block- and stream-ciphers is being made. Stream ciphers are capable of scrambling an arbitrarily long
This work was supervised by Dipl.-Ing. Johanna Weindl and presented on July 13, 2006 at TUM. The author’s e-mail address is tobi@knaup.biz.

INTERNATIONAL GRADUATE SEMINAR ON INFORMATION TECHNOLOGY: SMART HOMES

2

IV. I MPLEMENTATION A. Confidentiality To assure data confidentiality, the 802.11 standard suggests symmetric encryption of the transmitted data packets. This is done by combining the plaintext packets Pi and a pseudo random keystream with the logical exclusive-or (XOR) operation to get the ciphertext packet Ci . The keystream is produced by the RC4 algorithm. Even though RC4’s output is called pseudo-random, it is a function of the data being fed to it. The input data is always the concatenation of a secret key k, shared among all members of a wireless network, and an initialization vector (IV) v which can be different between packets2 . Thus, the encryption process can be denoted by Ci = Pi ⊕ RC4(v, k). (1)

the CRC-32 value of each plaintext frame is appended to it before encryption. As I already mentioned, CRCs are not cryptographically secure, i.e. they can be easily adjusted to modifications of the data. This issue was thought to be solved by encrypting the CRC together with the actual data to hide it from an adversary. V. T HE MAJOR S ECURITY F LAWS A. Key length Because of U.S. Government regulations limiting the export of cryptographic technology, the original 802.11 standard did not utilize keys of more than 64 bits size by the time of its design. On top of that, the effective length of the secret key k is only 40 bits. The maximum size applies to the key that is fed to the RC4 algorithm. And as we already know, this key includes the 24-bit initialization vector v, leaving only 40 bits for k. As it turned out that a 40-bit key can be recovered by a fairly simple brute-force attack using homegrade computers, several equipment manufacturers started offering a non-standard 128-bit version of WEP. But again, this includes v, leaving 104 bits for k then. Keys greater than 80 bits, for robust implementations, are said to be unbreakable by contemporary computers, rendering brute-force attacks on this flavor of WEP impossible [2]. B. The handling of IVs

Recovery of the original plaintext data Pi at the receiver side is done by regenerating the keystream and combining it with the received ciphertext according to Ci ⊕ RC4(v, k) = (Pi ⊕ RC4(v, k)) ⊕ RC4(v, k) = Pi . (2) As stated above, the receiving station has knowledge of the secret key k. In order to accomplish the decryption task, it also needs the initialization vector v which is therefore simply prepended to the encrypted packet before transmission. B. Access Control The 802.11 specification defines two schemes to control access to a wireless network: open-system authentication and shared-key authentication. The former is required to be done, whereas the latter is optional. This concept is very deceptive if one is unaware of the internals, because the “open-system authentication” technique does not truly authenticate the clients. It simply requires them to respond to the access point’s initial message with a MAC address. However, the nonmandatory shared-key scheme does one-way validation of the client based on a two-stage challenge-response exchange. In the first stage, the client advertises its will to join the network to the access point (AP). The AP’s reply consists of an ideally random sequence called the challenge which is sent in clear text. In the second stage the client is forming the response by encrypting the received challenge like a regular data packet as described above. If the AP is able to decrypt the response to the original challenge, it will assume that the requester holds the secret key of the network and therefore grant the authentication request. It should be noted that apart from its flaws that will be discussed later, this method is a rudimentary technique which does not provide mutual authentication. That is, there is no way for the client to find out if it is talking to a legitimate AP and network [2]. C. Data Integrity To make the system tamper-resistant and verify that the received data has not been subject to transmission errors,
802.11 does not state anything about how IVs should be chosen. Furthermore it doesn’t even require them to change at all.
2 The

Unfortunately, the handling of initialization vectors has not been specified for WEP. Hence, it is absolutely compliant if a mobile station uses the same IV for every packet it sends [3]. Commercial products include a variety of more or less reasonable implementations, ranging from switching between two vectors to random selection or counting from 1 to 224 . C. The IV space was chosen too small As I will explain later, the reuse of a keystream generated by RC4 is a serious risk. However, only 24 bits have been assigned to the IVs, virtually guaranteeing that the same vector will be used for multiple messages. A simple calculation shows that in a busy network with an average bandwidth of 5Mbps the space will be exhausted in less than half a day if they are selected one after another [3]. Implementations chosing IVs randomly will of course statistically reuse them in much less time. VI. E XPLOITS AND WHY WEP FAILS The security flaws mentioned above can be easily exploited by a variety of attacks of active or passive nature. Furthermore an adversary benefits from some basic characteristics of network traffic. To start off, have a look at equation (3). It illustrates the well-known pitfall of stream ciphers that two messages encrypted using the same key (which is made up of the quasistatical k and the frequently reused v) can reveal information about each other [3]. C1 ⊕ C2 = (P1 ⊕ RC4(v, k)) ⊕ (P2 ⊕ RC4(v, k)) = P1 ⊕ P2 (3)

INTERNATIONAL GRADUATE SEMINAR ON INFORMATION TECHNOLOGY: SMART HOMES

3

The P1 ⊕P2 of course does not reveal anything yet, but luckily a lot of the network traffic can be guessed or is partially known. This could be for example a “Password:” prompt or several protocol characteristics like HTTP headers or source and destination IP addresses. With this partial knowledge of one frame, the content of the second one can be gained. Therefore WEP fails to provide confidentiality. The means for verifying data integrity rely on the assumption, that the CRC value can not be compliantly changed because it is encrypted together with the actual data. However, there is a way to modify a whole frame without knowledge of the key or a keystream and without rendering the CRC invalid [3]. Because CRC is a linear function, it distributes over the XOR operation, i.e. CRC(a ⊕ b) = CRC(a) ⊕ CRC(b). As a consequence of that, we are able to intercept communication and make controlled modifications to the transmitted data. Let C be the original frame that decrypts to message M . We can chose an arbitrary ∆ to change the frame to C which in the end decrypts to a message M = M ⊕ ∆ and carries a valid CRC: C = C ⊕ [∆, CRC(∆)] = RC4(v, k) ⊕ [M, CRC(M )] ⊕ [∆, CRC(∆)] = RC4(v, k) ⊕ [M ⊕ ∆, CRC(M ) ⊕ CRC(∆)] = RC4(v, k) ⊕ [M , CRC(M ⊕ ∆)] = RC4(v, k) ⊕ [M , CRC(M )].

(4)

Notice that we do not need knowledge of what is inside the encrypted packet and that ∆ is actually the difference of the two plaintext messages. Because it is obviously possible to modify the content of an encrypted packet without necessarily invalidating its CRC, the WEP goal of providing data integrity is not reached. Moreover, this attack also circumvents the technology intended to provide confidentiality. Since most of the traffic in a wireless network is IP based, this method enables us to precisely change fields in the structured header of the packets. If we make specific changes to the destination address, local traffic could be redirected to a host outside the wireless network where it can be read in plaintext [3]. Another promising attack is trying to catch a corresponding plaintext/ciphertext pair to recover the underlying keystream as shown by Pi ⊕ Ci = Pi ⊕ (Pi ⊕ RC4(v, k)) = RC4(v, k). (5)

especially in its application in WEP, could be helpful for an attacker. The RC4 cipher consists of two parts: the Key Scheduling Algorithm (KSA) and the Pseudo Random Generation Algorithm (PRGA). The KSA turns the key K presented at RC4’s input into an initial permutation S which is then fed to the PRGA. In the next step, the PRGA produces the output bytes by pseudo-randomly selecting values of S. It has been found out that large classes of weak keys exist, in which a small part of the secret key K determines a large number of bits of the initial permutation S. In addition, the PRGA translates these patterns into patterns in the prefix of the output stream and, thus, RC4 has the undesireable property that for these weak keys its initial outputs are disproportionally affected by a small number of key bits. This property is often denoted as the invariance weakness [4]. The second weakness called IV weakness is a related key vulnerability. If K is made up of a secret part and an exposed value (which is the fact for WEP), the secret part can be derived by analyzing the initial word of the keystreams generated by numerous different exposed values [4]. Combining these two weaknesses leads to a practical attack on WEP that can recover the secret key k with a reasonable propability of success. Because the payload of WEP encrypted packets typically consists of ethernet frames, the attacker knows the first byte of clear text, which is always 0xAA in this case. Hence, he is able to gain the first byte of the keystream. Capturing only 60 packets whose IVs follow a certain condition, the attacker can already derive the secret key with a very high chance [4]. As mentioned above, this is likely to happen because the IV space is exhausted in very little time. To sum it all up, an attacker may be able to modify packets, inject traffic, circumvent the authentication process, sneak a peek at the plaintext of packets and even recover the secret key, turning him into a fully qualified member of the network. All of these exploits are very easy to do and have a high propability of success. Therefore it can be stated that WEP totally fails in achieving any of its main security goals. VII. T HE PROPOSED S OLUTIONS Of course a lot of efforts have been made to eliminate those issues. A secure mechanism that could be immediately deployed without major changes to existing installations had to be found. Because the proposed long-term solution to securing wireless links, the IEEE Standard 802.11i [5] was delayed, a part of the draft has been established as a pseudo-standard known as WiFi Protected Access (WPA). The idea was to provide WPA as a software patch without having to replace hardware components. Unfortunately, the cipher algorithm could not be changed to a stronger one, because of the limited computing power of most 802.11 compatible devices. Hence security holes evolving from RC4 itself could not be dealt with in WPA. To reestablish the main security goals, WPA utilizes the Temporal Key Interchange Protocol (TKIP) of 802.11i. TKIP includes an 802.1X based key management scheme to avoid

There is a big chance to catch one because this is what happens during the challenge-response authentication process. The AP sends out a clear text challenge and the client is responding with the encrypted version of exactly this challenge string. Since WEP does not require IVs to change, an attacker could simply reuse this one keystream for every packet he is willing to send. This enables him to send an authorization request and a correct response to the AP, which means that the access control mechanism does not guarantee that a client possesses the secret key at all [3]. All of the attacks discussed above have not been directly headed to technologies like RC4 and CRC-32. We were just exploiting their bad implementation or improper use in WEP. But the RC4 algorithm itself also has some vulnerabilities that,

INTERNATIONAL GRADUATE SEMINAR ON INFORMATION TECHNOLOGY: SMART HOMES

4

key reuse and to ease the key distribution process. It replaces the simple challenge-response authentication of the original 802.11 standard with a more complex and secure mechanism. It also associates a 128-bit Temporal Key (TK) to each succesfully authenticated client to avoid that a single shared key is used for the whole network. More information about 802.1X can be found in [6]. Furthermore, to render keystream reuse and related key attacks impossible, the IVs have been extended to 48 bits and are now specified as a counter. The receiver will not accept packets with smaller or equal IVs to previously received packets any more. To provide even tighter security, the actual RC4 key is no longer a simple concatenation of an IV and the secret key, but a 128-bit hash value of the TK, the 48-bit transmitter address and the IV. To replace the inappropriate linear CRC-32, WPA introduced a Message Integrity Code (MIC) called “Michael”. This MIC consists of a new cryptographic keyed hash function which calculates a 64-bit value as a function of a MIC key, the transmitter and receiver addresses and the message itself. Recent work has shown that weaknesses exist in this improved implementation as well [7]. WPA introduced a temporal key mechanism, but in practice this key is static for the duration a user is connected to the network. Besides, WPA relies on the secrecy of all generated packet keys. If an attacker is able to obtain a single packet key, he can recover the MICkey from it and thus calculate a valid MIC-tag to a packet of his choice. Provided an adversary is able to gain knowledge of two packet keys which were generated using partially identical IVs3 , he can reconstruct the TK within approximately 15 hours of computing on a Pentium 4 computer. The complexity of these calculations is even reduced to about 6-7 minutes if an attacker can get four or more keys [7]. In 2004, the 802.11i standard has finally been released and is now well-known as WPA2. This completely reengineered specification features a variety of new and more complex approaches. First of all, WPA2 is backwards-compatible to avoid locking out older clients. However those stations can not profit from the new Robust Security Network (RSN) and are thus called pre-RSN clients. To distinguish between pre-RSN and RSN clients, 802.11i describes so called RSN Information Elements (RSN IE). The RSN IEs carry information about the capabilities of a station and therefore provide a means of negotiating security concerns like the cipher algorithm that should be used. The RSN was introduced to provide strong association and mutual authentication between all stations including the access point [8]. The authentication and authorization process utilizes the robust 802.1X standard and a four-way handshake built on top of it. This mechanism does not only perform authentication, but also assigns a Pairwise Transient Key (PTK) to the mobile station, which is later used to derive the actual encryption key. It even specifies a different key for handling broadcast traffic, denoted as the Group Transient Key (GTK) [8]. WPA2 features a new Counter-mode/CBC-MAC Protocol
3 More

(CCMP) to provide confidentiality, integrity and replay protection. CCMP uses the strong Advanced Encryption Standard (AES) cipher together with 128-bit keys. As it has already been implemented in WPA, the encryption key is built from the PTK and a 48-bit sequence counter instead of a random IV. The receiver must not accept packets that carry a counter that is lower than previously received ones. But to tighten security even more, a station is forced to receive a new PTK if it exceeds the counter space. More details about the implementation can be found in the 802.11i standard [5]. So far, no practical attack on WPA2 that could eventually reveal information or enable an adversary to become a member of the network is known. However, the four-way handshake can be interfered in order to cause PTK inconsistency which leads to a denial of service [9]. VIII. C ONCLUSION It could be clearly seen that WEP does not match its goals because of the numerous flaws of its simple design. The major security problems that are easily exploitable have mostly been eliminated in WPA. But since WPA is only a wrapper designed around WEP, some issues remained and new critical vulnerabilities have been found. Today’s only feasible security suite for wireless networks is 802.11i or WPA2, because it provides state-of-the-art strong cryptography which is also adequately implemented. However it cannot be instantly deployed because its hardware requirements can not be met by legacy 802.11 hardware. To sum it up, a wireless network can be reasonably secured with the available technology. But as always, security and cryptography is a very delicate task and new flaws will come to light sooner or later. And in the end, security is always dependent on the responsible persons making the right decisions whether or not to adopt a new technology. R EFERENCES
[1] IEEE Standard 802.11-1999. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, 1999 [2] T. Karygiannis, L. Owens. Wireless Network Security. NIST Special Publication 800-48. National Institute of Standards and Technology, U.S. Department of Commerce [3] N. Borisov, I. Goldberg, D. Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. In proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, July 2001 [4] S. Fluhrer, I. Mantin, A. Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography, August 2001 [5] IEEE Standard 802.11i-2004. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Amendment 6: Medium Access Control (MAC) Security Enhancements, 2004 [6] IEEE Standard 802.1X-2001. Standards for Local and Metropolitan Area Networks - Port-Based Access Control, 2001 [7] V. Moen, H. Raddum, K. J. Hole. Weaknesses in the Temporal Key Hash of WPA. Dept. of Informatics, Univ. of Bergen, 2004 [8] J.-C. Chen, M.-C. Jiang, Y.-W. Liu. Wireless LAN Security and IEEE 802.11i. IEEE Wireless Communications, February 2005 [9] C. He, J. C. Mitchell. Analysis of the 802.11i 4-Way Handshake. Electrical Engineering and Computer Science Departments, Stanford University, 2004

precisely, the 32 most significant bits have to be identical.